AT&T: consumers should be kept in the dark--oh, and we kick puppies too.
The Electronic Frontier Foundation

The bill would require that the state attorney general act as a single point of contact for data breaches. Any company that suffered a breach impacting one or more Indiana consumers would be required to notify the AG's office. The bill would also make Indiana the only state in the country to require the attorney general to post a copy of each report to its Web site--so that consumers, members of the press, and academics would have a single place to go to find out about data breaches.

At a State Senate committee meeting this morning, lobbyist after lobbyist criticized the provision. They claimed that by putting a list of breach notification reports online, the AG's office would hand phishers and other online fraudsters ammunition for their attacks. A lobbyist for Microsoft argued that phishing emails would be sent out to consumers that included a link to a real breach report on the AG's site, lending the message credibility, alongside a link to a fake website where consumers wishing to protect themselves from fraud would be tricked into entering their personal information.

The state of New Hampshire already posts online copies of all breach notifications reported to its Department of Justice. The state has done this for the past year, yet in hours of searching, I've been unable to find a single phishing site or email that has referenced a breach report on the New Hampshire site. While New Hampshire regularly posts these reports, it is not required to by law, and only does so because someone in the attorney general's office is forward thinking and pro-consumer.

I spoke with Paul Stephens of the Privacy Rights Clearinghouse this afternoon to get his thoughts on the attempt by lobbyists to kill Indiana's breach Web site bill. When asked if PRC's site or reports located on it had been used by phishers, he dismissed the lobbyists' claims, and stated that "we have not heard of anything of that nature. All of the information on our site is otherwise available elsewhere, we are just creating a handy compilation of information." He added that "virtually every security breach already gets reported by the media."

Representative Matt Pierce
Indiana House of Representatives

In addition to the breach Web site requirement, the bill also fixes a number of loopholes in the current breach notification law. The law, as currently written, exempts companies from having to notify consumers if a laptop containing customer data is stolen, as long as the laptop has a login password. This is extremely problematic, as a login password is only enforced by the operating system running on that laptop: it does nothing to protect the data if the hard disk is taken out of the computer and attached to another machine, or if the laptop is simply booted from removable media, and in either case the files can be read in the clear. The proposed bill fixes this loophole, and requires instead that companies wishing to avoid breach notification use strong data encryption with an undisclosed key, so that the data remains unreadable no matter how the disk is accessed. As the law currently stands, an employee can have her Windows login password written on a post-it note stuck to her laptop, and yet the company will not be required to notify consumers.

I drove up to Indianapolis this morning, and testified before the Senate committee considering the bill. Apart from Representative Pierce, I was the sole voice calling for the bill's passage, while more than 10 lobbyists took turns at denouncing the bill as a gift to phishers and fraudsters.

While the encryption parts of the bill may end up passing, I suspect that the lobbyists may get their way, and kill the breach notification website requirement in the bill.

No matter what happens, this has been a fantastic experience for me, and a chance to see democracy in action (including the sordid world of lobbyists). A bill that I asked for and helped to draft passed through the house 94-0. I got to testify before a Senate committee, and with any luck, some of the loopholes in the existing law that I identified may be closed.